IIS Ciphers-Inbound vs. Outbound?

Hey all
We are in the process of implementing Alert Logic in our environment. This particular portion of the environment is behind a load balancer and firewall. In order for Alert Logic to be able to read the traffic behind the load balancer, we needed to disable Diffie-Hellman (DHE) and elliptic curve Diffie-Hellman key exchanges.
So, I did this and I am able to indeed verify that applications hosted on that server on IIS are not using DHE/ECDH.
I ran into a problem however when I am making outbound HTTPS calls from Epicor server-side functions (hosted on that server) to the internet, and I’m getting a generic handshake SSL/TLS error.
When I re-enable DHE/ECDHE, the errors go away and I can call outbound HTTPS connections to my heart’s content.

This is a layered problem in that we believe the load balancer still has DHE turned on, but you’d think it would be able to negotiate downward.
All that is to say: can IIS handle inbound traffic without DHE and outbound traffic with DHE, or is it all the same since it’s at the OS level?

What does IIS Crypto show for key exchange?

Hey Olga,

Currently, because I have them turned ON again to continue development, my key exchanges look like this:

When I had them OFF, they looked like this:

The only other variable was I also added a couple of parameters to the registry at local machine>>CurrentControlSet>Services>HTTP>Parameters because I was getting Chrome issues accessing the hosted application in Chrome.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp2Tls"=dword:00000000
"EnableHttp2Cleartext"=dword:00000000

Do you remove DH* cipher suites as well?

They appear to be…


Hmm, except the ECDHE ones
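An added check (not code from anyone in this thread) that reads the Schannel key-exchange switches IIS Crypto toggles and lists the machine's enabled cipher suites grouped by key exchange, so you can see whether the DH* and ECDHE suites remain. Schannel's KeyExchangeAlgorithms settings are machine-wide and apply to both the server role (IIS) and the client role (outbound TLS from the same host). The registry paths are the standard Schannel and HTTP.sys locations; the cmdlet requires Windows Server 2012 R2 / Windows 8.1 or later.

```powershell
# Added example, not from the thread: report Schannel key-exchange state and
# the enabled cipher suites per key exchange on this machine.

$kexRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'

# Schannel treats a missing 'Enabled' value as enabled; only an explicit 0 disables it.
function Get-SchannelKexState {
    param([string]$Name)
    $key   = Join-Path $kexRoot $Name
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $value) { return 'enabled (default, no registry value)' }
    if ($value -eq 0)     { return 'DISABLED' }
    return ('enabled (0x{0:x})' -f $value)
}

Write-Host 'Schannel key exchange algorithms (machine-wide, server and client roles):'
foreach ($kex in 'Diffie-Hellman', 'ECDH', 'PKCS') {
    Write-Host ('  {0,-16} {1}' -f $kex, (Get-SchannelKexState -Name $kex))
}

# The suite list reflects the cipher suite order policy, not the switches above:
# any DHE/ECDHE suite listed here is only negotiable if its key exchange is enabled.
Write-Host "`nEnabled cipher suites by key exchange (blank = TLS 1.3 suites):"
Get-TlsCipherSuite |
    Group-Object -Property Exchange |
    Sort-Object Name |
    ForEach-Object {
        Write-Host ('  {0,-6} {1} suite(s)' -f $_.Name, $_.Count)
        $_.Group | ForEach-Object { Write-Host "     $($_.Name)" }
    }

# HTTP.sys parameters mentioned in the thread (HTTP/2 over TLS and cleartext).
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($p in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
    $v = (Get-ItemProperty -Path $httpParams -Name $p -ErrorAction SilentlyContinue).$p
    Write-Host ("`n{0} = {1}" -f $p, $(if ($null -eq $v) { 'not set' } else { $v }))
}
```

Run it from an elevated PowerShell on the IIS host before and after toggling DHE/ECDH in IIS Crypto; because the switches are machine-wide, the same output governs what an outbound client on that host can negotiate.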